[Bug] javax.security.auth.kerberos.KeyTab returns unrequested keys

Wei-Jun Wang weijun.wang at oracle.com
Mon May 6 19:55:17 UTC 2024


Hi Michael,

Thanks for the report. It seems not to conform to the RFC strictly, but I hesitate to make a change now.

The getKeys() method uses the PrincipalName.match() method to compare principal names in a case-insensitive style. The same method is also used to locate a ticket from a ccache file. This has been true from the beginning of JGSS, before it became a part of Java SE 1.4. There must be a history on why it's coded this way, probably related to what you said about MS deviating from the rule.

That said, I would look into the code to see if this might return the wrong key when decrypting the authenticator in an AP-REQ. If there is any bug there, I'll fix it. On the initiator side, I will also see if it can help locate the correct ticket.

Thanks,
Weijun

> On May 6, 2024, at 1:14 PM, Osipov, Michael (IN IT IN) <michael.osipov at innomotics.com> wrote:
> 
> Folks,
> 
> consider the following code:
>> KeyTab keytab = KeyTab.getUnboundInstance(new File("..."));
>> KerberosPrincipal principal = new KerberosPrincipal("foo$", KerberosPrincipal.KRB_NT_PRINCIPAL);
>> KerberosKey[] keys = keytab.getKeys(principal);
> 
> Let's check the keytab for etype 18 only:
>>  10 2022-08-04T11:55:55 foo$@AD001.SIEMENS.NET (aes256-cts-hmac-sha1-96)
>>  10 2022-08-04T11:55:56 FOO$@AD001.SIEMENS.NET (aes256-cts-hmac-sha1-96)
>>  11 2024-05-06T18:21:28 foo$@AD001.SIEMENS.NET (aes256-cts-hmac-sha1-96)
>>  11 2024-05-06T18:21:29 FOO$@AD001.SIEMENS.NET (aes256-cts-hmac-sha1-96)
> 
> My expectation is that I get exactly *two* returned because according to RFC 4120 KerberosString is case-sensitive (I know that MS Kerberos deviates from this), but the method returns me *four* keys because PrincipalName performs a case-insensitive match [1]. Comparing two equal keys with KerberosKey#equals() gives me false because the principal is compared case-sensitively [2].
> 
> Is this considered a bug?
> 
> Michael
> 
> I am on latest Java 8, but code looks identical for Java 22.
> 
> [1] https://github.com/openjdk/jdk/blob/a8b3f194e811eed6b20bce71c752705c7cd50d24/src/java.security.jgss/share/classes/sun/security/krb5/PrincipalName.java#L616-L637
> [2] https://github.com/openjdk/jdk/blob/a8b3f194e811eed6b20bce71c752705c7cd50d24/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosPrincipal.java#L259-L261
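Added example, not code from either message or from the JDK: a helper that post-filters what keytab.getKeys() returns so that only exact-case principal matches survive, run over constructed KerberosKey objects standing in for the four etype-18 entries listed above. The class name is hypothetical, the realm is taken from the listing, and the key bytes are zero-filled placeholders, not real key material.

```java
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;

public class StrictKeytabLookup {

    // Encryption type 18 = aes256-cts-hmac-sha1-96, the etype shown in the listing.
    static final int AES256_CTS_HMAC_SHA1_96 = 18;

    // Keep only keys whose principal matches byte-for-byte. KerberosPrincipal.equals()
    // compares the full name case-sensitively, which is RFC 4120 KerberosString semantics,
    // whereas KeyTab.getKeys() matched case-insensitively and so may return extra keys.
    static List<KerberosKey> strictlyMatching(KerberosKey[] returned, KerberosPrincipal wanted) {
        List<KerberosKey> exact = new ArrayList<>();
        for (KerberosKey k : returned) {
            if (k.getPrincipal().equals(wanted)) {
                exact.add(k);
            }
        }
        return exact;
    }

    // Constructed stand-in for keytab.getKeys(principal): the four etype-18 entries
    // (kvno 10 and 11, lower- and upper-case name) with dummy 32-byte key material.
    static KerberosKey[] constructedKeytabResult() {
        KerberosPrincipal lower = new KerberosPrincipal("foo$@AD001.SIEMENS.NET", KerberosPrincipal.KRB_NT_PRINCIPAL);
        KerberosPrincipal upper = new KerberosPrincipal("FOO$@AD001.SIEMENS.NET", KerberosPrincipal.KRB_NT_PRINCIPAL);
        byte[] dummy = new byte[32];  // placeholder only, all zeros
        return new KerberosKey[] {
            new KerberosKey(lower, dummy, AES256_CTS_HMAC_SHA1_96, 10),
            new KerberosKey(upper, dummy, AES256_CTS_HMAC_SHA1_96, 10),
            new KerberosKey(lower, dummy, AES256_CTS_HMAC_SHA1_96, 11),
            new KerberosKey(upper, dummy, AES256_CTS_HMAC_SHA1_96, 11),
        };
    }

    public static void main(String[] args) {
        KerberosPrincipal wanted = new KerberosPrincipal("foo$@AD001.SIEMENS.NET", KerberosPrincipal.KRB_NT_PRINCIPAL);
        KerberosKey[] all = constructedKeytabResult();
        List<KerberosKey> exact = strictlyMatching(all, wanted);
        // Four keys come back from the case-insensitive lookup; two survive the strict filter.
        System.out.println("returned: " + all.length + ", exact-case matches: " + exact.size());
        // KerberosKey.equals() is case-sensitive on the principal, so the two kvno-10 keys are not equal.
        System.out.println("foo$ key equals FOO$ key: " + all[0].equals(all[1]));
    }
}
```

In a real deployment the array passed to strictlyMatching() would be the result of keytab.getKeys(principal); the filter changes nothing when the keytab holds only one spelling of the name.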